E-Voting in Europe Workshop, Austria

After a few days to re-synchronise I can now report some thoughts on the European Science Foundation’s E-Voting in Europe Workshop held in Bregenz, Austria.

There was an interesting mix of attendees ranging from academics, testing lab employees, civil servants, suppliers and electoral lawyers. The quality and openness of the debate was without a doubt the highest I have experienced at any e-voting event, other attendees commented to similar effect. Nevertheless I would say that the underlying assumption was still that implementation of e-voting is a matter of when and not if. But when for this group was further off (7-10 years) than others, such as the UK government, might hope.

The first day kicked off with Michael Remmert talking about the recently finalised Council of Europe standards on e-voting. I haven’t had a chance to look at the latest draft in detail but I find it interesting to note that they currently recommend Election Markup Language (EML) for encouraging vendor interoperability. I helped to write the first drafts of EML, my experiences forming part of a forthcoming paper. EML has its failings but it’s gratifying to see it still being referred to.

Most of the other presentations were pretty much as expected. Many speaking of e-voting improving turnout with no evidence to back such claims. Nadja Braun, a lawyer from the Federal Chancellry of Switzerland, accepted that in the short term cost savings wouldn’t be found in implementing e-voting. Her sensible presentation was unfortunately marred by a comment in response to a question where she claimed that Switzerland could take higher risks with voting systems because “it wasn’t Eastern Europe.”

Results from several surveys were presented which generally indicated a high level of confidence in the systems used by voters. Anne Marie Oostven, in an excellent presentation which won the best paper award, showed how important voter education is. She surveyed users of a system which was supposed to have had a voter verification process. The verification process never made it into the final software but by this time surveys had already been printed asking about the feature. Even without any voter verifiability voters reported a very high level of trust in the verification process! I loved this presentation for so many reasons – it was well put together, the results highlighted how we cannot assume voters will instinctively see the risks in e-voting and it was a finding emerging from an unintended sequence of events. The best of science!

Christopher Soghoian, a PhD student supervised by Avi Rubin at the John Hopkins Information Security Institute, also had a great little presentation. Chris and his colleagues asked a group of students to write ‘good’ software for DREs and also compromised software with hidden backdoors. Some backdoors were concealed in whitespace and others in image files – lots of creative approaches were tried. Then… here comes the fun part, each team of students was given three of their DRE programs. They had to find if there were any backdoors or exploits hidden in the code. The students knew that one program was ‘good’, one was ‘bad’ and one unknown.

It was found that those good at making backdoors were often poor at spotting backdoors in code, especially those that were hidden in methods not used by those examining the code. In other words code auditing requires different skills to writing clever code. Chris finished up his presentation with a proposal that security services such as NSA and GCHQ take a role in examining e-voting code. A good idea, I think, as it’s likely that our enemies’ services will be trying to examine our e-voting systems. Finally he mentioned that Avi wants to test how reliable the code certifying labs are by submitting the code of a real DRE system compromised with an exploit inserted by the John Hopkins crew. If the lab catches the exploit then so much the better, if not then we begin to worry even more. This is a superb idea, airport security regularly gets tested with government agents trying to smuggle guns or bomb-like apparatus past the security checks. Shouldn’t certification labs also be kept on their toes?

A presentation from Spanish e-voting supplier Scytl was interesting for how underwhelmed many felt once it was over. Scytl have made some very large claims about their system in papers and press coverage. In his presentation their founder Dr Andreu Riera said “The magic thing is that if that server is kept honest then the whole system is honest!” I begin to worry whenever magic is mentioned in the context of technology… There are several potential problems I can see with their system but the most surprising is the poor voter verification. Their system provides an electronic verification code which only proves (if you trust the system and it hasn’t been compromised) that your ballot has been decrypted. Why does a voter care about this? Verification of my vote being accurately recorded and (ideally) counted is what I care about. Verification of vote decryption is a procedural notification… imagine if Amazon would inform you when they had successfully encrypted your credit card details for sending to the bank for processing… I wouldn’t care. I want to know when I’m going to get my book. Scytl would have been much better served if they hadn’t burst into the e-voting community making such huge claims.

Some interesting new legal issues were raised by several speakers. In particular Niels Meißner, Volker Hartmann and Dieter Richter from Physikalisch-Technische Bundesanstalt, Germany raised the problem of “intermediate storage”. This problem is concerned over what the legal status is of a vote between a voter clicking ‘send’ and a server recording the vote. Does the vote count as being cast or is it still technically in the voter’s hand? This is particularly important when considering what happens when an election closes with votes still in transit.

The final day of presentations began with a presentation by Alexandros Xenakis from the International Teledemocracy Centre at the University of Napier. Essentially his presentation regurgitated portions of Electoral Commission reports on the e-voting pilots 2002-2003 conducted in Sheffield and St.Albans. When asked why he had omitted the cost of £75 per vote cast that Sheffield incurred in 2003 and costs in general, Xenakis responded that as a Greek citizen he didn’t care how the UK government spent their money! Ok… but still for those in other countries trying similar experiments costs would be of interest, I imagine.

I’m a big fan of public disclosure. Tell people your interests and let them decide your motivations. So I couldn’t help but raise an issue with Xenakis during his Q&A period. The International Teledemocracy Centre is funded by British Telecom (BT) and in fact all the pilots Xenakis examined were run by BT. I don’t think there’s a conspiracy there but I do know that this BT connection at least got Xenakis access to what were otherwise closed pilot activities. It would be professional to raise these facts and let fellow academics draw their own conclusions. It’s also courteous and sensible as it prevents accusations of impropriety at a later date. Xenakis claimed his paper was a comparative analysis of publicly available documents – not publishing cost figures or the fact that BT was the main supplier seems a little odd. Xenakis didn’t take kindly to my interjections but my day was going to get even more antagonistic…

But first Margaret McGaley gave a fun and clear presentation on the mess that has been e-voting in the Republic of Ireland. It was incredible to hear that her co-author had spent thousands of Euros on freedom of information requests on the e-voting system due to repeated government attempts to block his access. This resulted in Margaret’s supervisor going to appeal which he invariable won. Freedom of Information should not be costing interested citizens thousands… crazy!

I hadn’t submitted a paper to this workshop as I’d thought I’d be at another conference which didn’t work out in the end. But as the workshop progressed I felt that I could contribute something on the European push for voter verifiability][fp_vv]. I asked Robert Krimmer, one of the conference organisers, if I could have ten minutes to speak and he very kindly agreed. Unfortunately the session chair hadn’t been briefed and was ready to run to coffee before Robert managed to reign in the brewing caffeine stampede to let me do my bit. It didn’t start well with everyone wanting their cup of joe but I pushed onwards with a very short presentation I call “Voter Verifiability: The Elevator Pitch” which is a micro version of something I presented at the University of Bournemouth to a very positive response.

Perhaps I didn’t judge my crowd so well but I went for it (as I normally do) with lovely Keynote slides, Salling Clicker enabled Bluetooth phone controlling my Powerbook and yours truly walking around the whole conference room. When compared to people stuck behind a podium with 30-odd Powerpoint slides apiece I probably wasn’t fitting in.

Anyways I did my piece, at the end of which the session chair promptly pushed everyone to coffee with no time at all for Q&A. At this point Thomas Buschbaum, from the Federal Ministry for Foreign Affairs came up to me. He said that I had not been sufficiently subdued or academic. He felt that I had been campaigning and should have been thrown out – I would have been if I was a supplier, he felt. He challenged my credentials and academic standing in a rather abrupt manner. I replied that I did not feel he was adressing me in an appropriate way. I continued stating that he did not have to agree with me but listening to the varying viewpoints was key to government gaining legitimacy for introducing a change such as e-voting. He responded saying that just because I couldn’t build a workable e-voting system didn’t mean one wasn’t possible. As I began to respond he lifted his hand in front of my face and blocked me from his view. He would not acknowledge me from that point onwards.

Indeed from that point on, until the workshop ended that afternoon most people seemed to steer clear from me. Some ‘friendlies’ suggested that I could have taken a softer approach and spoken less loudly. I was very much surprised, my presentation had been short and uncontroversial merely summarising the arguments for and against e-voting, highlighting Florida 2000 as an example of where voters’ intentions were not accurately recorded before explaining voter verifiable audit trails and showing the web address for the European campaign for voter verifiable e-voting. I did ask people to support the resolution on voter verifiability, so what? A resolution for e-voting would surely have been accepted with grace.

It was a shame that such an excellent workshop was marred, for me at least, by the events of the final day. But still it was wonderfully organised and an excellent range of people attended the event. Yes, they seem mostly optimistic about e-voting in the long term, but many could also see most of the problems. That’s step one, I just hope that they will give people like me a chance to explain why vendor assurances aren’t enough to say that the key challenges in e-voting have been successfully overcome. That will be step two.

Comments copied from the previous version of my blog:

Never mind. The Minister is a far-right womanoid lifeform of depressing nature, much given to poor imitations of Thatcher, and it’s no surprise that the ogre’s character will filter down to her dwarves. Congrats on pissing off a dull and dishonest little government!
12:03:21 GMT 15-07-2004 Alex

I cannot understand why this workshop has been marred for you, just because you met one person of the austrian foreign ministry who is not as diplomatically skilled as one might have assumed. There was only one coffee break left after your lecture, so your perception that most people would have steemed clear from you cannot be based on sufficient data ;-), I think.

The form of your presentation has been absoutely adequate to the content. There was no doubt that you were rallying for your resolution. This campaigning was absoutely profesionally and adequately done – a perfect show! I agree with you that a pro e-voting resolution campaign would also have fitted perfectly into the workshop. I don’t think that it would have been ok to include a corresponding paper to your lecture into the proceedings volume as the style would not have been similar to that of the other papers. But the lecture you gave was just great and had a very appropriate style.

And nobody but one person assumed that just because you did a very good campaign show and you didn’t tried too hard to show off with your academic regalia, that you do not have a perfect academic standing.
07:43:53 GMT 28-07-2004 Peter Wilm

Kind words
Thank you for your kind words Peter, perhaps it seemed worse at the time then it does now 🙂
15:08:07 GMT 28-07-2004 Jason Kitcat